You Have One Year to Make GDPR Your Biggest Security Victory Ever
The EU's new razor-toothed data privacy law could either rip you apart or help you create the best security program you've ever had. Here's how.
This is not a drill. One year from today, the grace period for the European Union's General Data Protection Regulation (GDPR) ends, and enforcement begins.
The bad news: GDPR has rigorous rules -- like a 72-hour breach notification window -- and sharp teeth -- like fines of up to 20 million Euros or 4% of your annual "turnover" (roughly equivalent to revenue), whichever is higher. And despite that, chances are high that you won't be ready to comply by the deadline, if you even realize that you have to comply in the first place.
The good news is that it could help you do many of the things you should have done and wanted to do all along: data inventory, better monitoring, the principle of least privilege, encryption, secure application development, and a better understanding of the business you support.
How do you get there in 12 months? Here are some guidelines.
Assemble your team.
Team - as in Infosec, Privacy, and Compliance. But you also need to loop in other groups, such as:
Marketing. "You've got to have enforceable rules about what marketing does with people's data," says ESET senior security researcher Stephen Cobb.
Your marketers may use private data the most, and may already be aware of GDPR's coming impact on their operations. One ad-serving technology company executive told Advertising Age recently that GDPR is "ripping the digital ecosystem apart," and the CEO of the DMA (Direct Marketing Association) said in a statement last month that the GDPR deadline of "May 2018 should be a date that is in every marketer's diary."
HR. GDPR does not only apply to customers' data. It also applies to your employees' information.
Development/DevOps. GDPR has stipulations for "data protection by design and by default," which will have implications for the secure development of any applications. There are also new mandates for data collection and use-consent that will require changes to more than just autocheck boxes on your Web forms and the opt-out functions of your newsletters.
Communications/PR. The 72-hour breach notification response time will require planning. In addition, an official process for handling privacy violation complaints will need to be established.
Legal. Compliance cannot be outsourced. Contracts with third parties may need to be revisited.
Data Protection Officer, if you need one. GDPR mandates that certain organizations, depending upon several factors, will need someone explicitly assigned to the task of protecting data. According to the International Association of Privacy Professionals, 100% of the large enterprises in information and communication will need a DPO, as well as 100% of financial institutions and insurance firms. IAPP estimates that there will be a need for 75,000 DPOs worldwide, including roughly 9,000 in the US alone.
Although there are rules about the DPO being independent from the organization, these responsibilities could be assigned to an existing role, a new person could be hired, or the job could be outsourced.
According to a survey by Blancco Technology Group, DPOs are uncommon and costly. Fifty-nine percent of American companies are most likely to assign the responsibilities of DPO to an existing role, according to the survey. Half of respondents to a survey by Varonis say their organization does not yet have a DPO, but 47% of those that are planning to appoint one expect the individual to have a primarily IT-based professional background.
Assess your exposure.
Does GDPR apply to you? "You increase your risk by first of all not knowing if you were covered," says Cobb. As Cobb explained in a blog: "Your firm probably needs to comply with GDPR if: You monitor the behavior of data subjects who are located within the EU; You're based outside the EU but provide services or goods to the EU (including free services); or You have an 'establishment' in the EU, regardless of where you process personal data (e.g. cloud-based processing performed outside of the EU for an EU-based company is subject to the GDPR)."
Do you know what "private data" means in the EU? The definitions, which still vary somewhat by country, are far broader than the American understanding of personally identifiable information. Information about location, income, cultural information like religion and political affiliation, and perhaps even one's shoe size is protected under law. Also, "Child" means something different – in the US, parental consent is needed for minors under age 13, but in the EU, if parental consent is required for children, it means kids under 16.
How many EU citizens do you have in your databases – internal and external users? Remember too, that Brexit does not absolve you from worrying about UK citizens. The UK is not officially scheduled to leave the Union until March 29, 2019. Also, 68% of respondents to the Varonis survey expect that any British organization that violates GDPR will be "made an example of," as recompense for Brexit; 57% believe the UK will be among the top three most rigorous enforcers of the law while the country remains in the EU.
In how many countries do you operate? The more countries' citizen privacy you've violated, the worse the penalties may be.
In which countries do you operate? Certain countries have a more vigorous privacy culture and history of privacy activism and are expected to enforce the regulation – either from a top-down or bottom-up approach – more rigorously than others.
How much of your business model relies on profiling? This can fall into a lot of categories, from target marketing to loan approval. All the information about income bracket, geography, age, and favorite color so frequently requested in Web forms will now be protected by law. (The rules against profiling could even have implications for any automated surveillance controls you have in place to watch out for insider security threats.) Read more at the IAPP: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-5-profiling/
How much of your business model relies upon the processing of data? If you're an IT or telecommunications company that transmits or stores data, you fit into this category alongside the payment and payroll processors.
Know Your GDPR:
Article 35: data protection impact assessment. It isn't the first article that pertains to cybersecurity, but it's the first one you should think about. According to the Blancco survey, 41% of American organizations are currently undergoing a data protection gap analysis.
Article 7: consent. As the International Association of Privacy Professionals explains, "silence, pre-ticked boxes or inactivity" are not adequate ways of conferring consent. Also, GDPR gives data subjects the right to withdraw consent at any time and, as the law mandates "it shall be as easy to withdraw consent as to give it."
Article 16: right to rectification. EU citizens have the right to have inaccurate information about themselves corrected. As CEO and founder of Seclore Vishal Gupta wrote in a column for Dark Reading earlier this month, "At first this sounds simple, but it becomes increasingly complex as you factor in third-party vendors that have come into possession of the data. Complying with this will require additional controls that allow organizations to either alter or delete data that has already left the network."
Article 17: right to erasure (right to be forgotten): As IAPP explains, "This right allows individuals to request the deletion of personal data, and, where the controller has publicized the data, to require other controllers to also comply with the request."
Article 25: data protection by design and by default. As Roxane Suau of Pradeo describes it: "This is one of the most important aspects of GDPR. On the one hand, it is expected companies will include data privacy protection as part of their development process. On the other hand, they must apply the appropriate technical means and methods and organizational processes to ensure only relevant data collection, processing and storage."
Article 30: records of processing activities. Article 30 states that written records be kept about data subjects, data recipients, cross-border data transfers, and security measures placed upon them. These records must be presented to data protection authorities on request.
Article 32: security of data processing. Article 32 is the biggest cybersecurity Article, but it allows for some risk management. It requires that data controllers and processors "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk," including measures like pseudonymization/encryption; the ability to guarantee confidentiality, integrity, and availability; the ability to restore access to data in a timely manner after an incident; and a process for regular security testing.
Articles 33-34: breach notifications to supervisory authorities and data subjects (within 72 hours of breach discovery).
Article 46: transfers subject to appropriate safeguards. As Gupta wrote, this addresses the concern that when European citizen data gets "transferred outside the EU, it can become subject to surveillance by nation-states." To remain in compliance with this article, Gupta recommends data-level security tools that keep security precautions in place while the data travels. These precautions will also help meet the requirements of Privacy Shield.
Respondents to both the Varonis and Blancco reports named the right to be forgotten, the records of data processing activities, security of data processing, and the 72-hour breach notification rule as their biggest concerns.
Find your data. Start monitoring.
"What you can't do is expect to navigate all that without knowing where that data is and what data you've got," Cobb says.
"If an organization cannot find their customers' data, how will they be capable of erasing the data and complying with the EU GDPR's requirement" for the "right to be forgotten," said Richard Stiennon, chief strategy officer for Blancco Technology Group, in a statement. Stiennon goes on to say that companies often use "insecure and unreliable data removal methods, such as basic deletion and free data wiping software."
Brian Vecci, technical evangelist of Varonis, agrees and suggests organizations that are behind start simply by instituting basic monitoring, followed by automatic data classification.
Without at least knowledge of what data you have and how it's being used, Vecci says, it's impossible to institute any practices of least privilege or keep adequate records. "It's like trying to clean up your garage in the dark," he says. "Just turn on the lights."
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...